The EU AI Act’s high-risk classification for HR AI systems isn’t a technicality — it’s a compliance framework with real enforcement teeth. Fines for non-compliance reach €30 million or 6% of global annual turnover. HR leaders in EU-operating organizations need to understand exactly what these 11 requirements demand before their compliance gap becomes a regulatory incident.

For the broader HR compliance automation framework these requirements fit into, see HR Compliance Automation — Complete 2026 Guide. For the parallel EEOC requirements for US operations, see 9 EEOC AI Compliance Requirements HR Teams Must Meet in 2026.

1. Technical Documentation — Describe Every High-Risk HR AI System

The EU AI Act requires comprehensive technical documentation for every high-risk AI system — including the system’s purpose, the data it was trained on, its performance metrics, its known limitations, and how it integrates with other systems. For HR teams, this means documentation for AI resume parsers, AI interview analysis tools, AI performance management systems, and any AI used for workforce scheduling or monitoring.

Vendor-provided documentation partially satisfies this requirement. You also need documentation of how you’ve configured and integrated the tool — your specific use case, the data you’ve added, the thresholds you’ve set. Vendor documentation + implementation documentation = the full technical documentation package.

Verdict: Start here. Technical documentation is the foundation that all other requirements build on. If you don’t have it, you can’t demonstrate compliance with anything else.

2. Conformity Assessment — Verify Compliance Before Deployment

High-risk AI systems require a conformity assessment before they can be placed on the EU market. For HR AI tools purchased from vendors, the vendor typically holds the CE marking and conformity assessment. Your responsibility is verifying that the vendor has completed this process and that your deployment configuration doesn’t invalidate their assessment.

For custom-built AI systems or significantly modified vendor systems, you need your own conformity assessment. This is a structured evaluation against the EU AI Act’s requirements — conducted either by a third-party notified body or through internal processes for certain system types.

Verdict: For vendor tools with CE marking, this requirement is largely a procurement checklist item. Verify the vendor has it; retain the verification record. For custom systems, engage a notified body early.

3. Human Oversight Mechanisms — Build Override Capability Into Every AI Decision

The EU AI Act requires that high-risk AI systems be designed to allow human oversight — specifically, the ability for humans to understand the system’s output, identify malfunctions, and override or stop the system. For HR applications, this means your hiring and workforce management workflows must have explicit human review steps that cannot be bypassed.

Make.com™ enforces this at the workflow level: the scenario requires a documented human review action before AI-influenced decisions are recorded in your ATS or HRIS. The enforcement is in the workflow architecture, not human memory.

Verdict: This is where most HR teams have the biggest gap. “We have humans making decisions” is not the same as “we have documented evidence that humans exercised oversight on each specific decision.” Build the enforcement mechanism.

4. Transparency to Workers — Disclose AI Used in Workforce Management

Workers must be informed when AI systems are used in decisions that significantly affect them — performance management, productivity monitoring, scheduling decisions. The disclosure must be meaningful (not buried in a privacy policy) and must occur before the AI is used, not after.

For existing employees, this typically requires a specific disclosure communication when new AI tools are deployed. For new hires, the disclosure should be part of onboarding documentation. The compliance record is evidence that the disclosure was provided to each affected worker.

Verdict: Many organizations have privacy notices that mention AI in broad terms. The EU AI Act requires specific disclosure about specific AI systems used in specific decision contexts. Generic notices don’t satisfy this.

5. Transparency to Candidates — Systematic Disclosure in Hiring

Job applicants must be informed when AI tools are used in their hiring assessment. As with worker disclosure, this must be specific and prior — not a general statement in the terms and conditions that candidates click through without reading.

The practical implementation: disclosure language is embedded in the application form at the point where AI tools are first used. The application system logs that the disclosure was presented. The log is retained with the candidate record for the required period.

Verdict: Systematic disclosure to candidates is lower-friction than it looks. The technical implementation is straightforward. The organizational work is getting legal to approve the disclosure language and getting IT to embed it in the right place.

6. Accuracy and Robustness — Test and Document Performance

High-risk AI systems must achieve appropriate levels of accuracy and perform consistently across relevant user populations. For HR AI tools, this means you need testing records demonstrating performance on your specific candidate or employee population — not just vendor-reported benchmark accuracy on curated test sets.

This connects directly to the adverse impact analysis requirement from EEOC guidance: performance testing on your population produces the data needed for both EU AI Act accuracy documentation and EEOC adverse impact analysis. Run one test; satisfy two requirements.

Verdict: Don’t rely on vendor benchmarks for this. Test on your data, document the results, and retain the documentation. Quarterly accuracy spot-checks produce the ongoing performance record the regulation requires.

7. Data Governance — Manage Training and Operational Data

The EU AI Act requires that training data used for high-risk AI systems be subject to appropriate data governance practices — including relevance assessment, bias examination, and documentation. For HR AI tools, this primarily applies at the vendor level (they govern the training data), but you need documentation of your assessment of their data governance practices.

Operational data — the candidate and employee data your organization provides as input to AI tools — is subject to GDPR as well as the AI Act. Data processing agreements with AI vendors must cover both regulatory frameworks.

Verdict: Data governance documentation is a procurement and vendor management function. Add EU AI Act data governance assessment to your vendor onboarding and annual review process.

8. Record-Keeping — Automated Logs of System Operation

High-risk AI systems must automatically log their operation — input data, outputs, decision dates, human oversight actions. These logs must be retained for the period defined by applicable sectoral law, and for HR applications, a minimum that allows investigation of complaints and regulatory inquiries.

Make.com™ scenario execution logs capture every step of your compliance workflow — timestamps, data inputs, outputs, and routing decisions. These logs are the record-keeping artifact the EU AI Act requires. Ensure your log retention policy matches the required period and that logs are stored in a recoverable system.

Verdict: If you’re using Make.com™ for compliance workflow automation, your logging infrastructure is largely built. The work is ensuring log retention periods are set correctly and that logs are exported and archived before Make.com™’s own retention period expires.

9. Post-Market Monitoring — Track Performance After Deployment

High-risk AI systems require ongoing monitoring after deployment — tracking performance, identifying issues, and reporting serious incidents. For HR AI tools, this means building a continuous monitoring process into your operations, not just testing at implementation.

Monthly accuracy spot-checks, quarterly adverse impact analysis, and annual comprehensive reviews create the monitoring record. Make.com™ can automate the data collection for each of these — pulling metrics from your ATS and AI tools, compiling into reports, and routing to the compliance owner for review.

Verdict: Post-market monitoring is operationally continuous. Assign ownership, set calendar triggers, and build the data collection automation before go-live. Don’t create the monitoring process retroactively.

10. Incident Reporting — Report Serious Incidents to National Authorities

Serious incidents involving high-risk AI systems — meaning incidents that result in death, serious injury, significant property damage, or serious harm to fundamental rights — must be reported to the relevant national authority within defined timeframes. For HR applications, the most likely triggering scenario is an AI system malfunction that results in systematic discrimination.

Your incident response process needs to include AI-specific incident criteria and the notification process for your relevant national authority. This is a compliance process design task, not a technical one.

Verdict: Most HR teams will never trigger an incident report. But the process needs to exist and be documented. Include AI incident criteria in your existing HR compliance incident response procedure.

11. Registration — Register High-Risk Systems in the EU Database

Providers (vendors) of high-risk AI systems must register them in the EU database. Deployers (employers using these tools) have lighter registration obligations under current guidance, but must maintain records demonstrating they verified the provider’s registration. Check the EU AI Act database for your vendors’ systems before deployment and retain the verification record.

Verdict: This is a procurement checklist item for most HR teams. Add “verify EU AI Act database registration” to your AI vendor onboarding process. The EU database is publicly accessible.

How We Evaluated These Requirements

These requirements are drawn from the EU AI Act (Regulation 2024/1689), the European Commission’s guidance documents, and published compliance analysis from EU regulatory bodies. Applicability to specific HR use cases reflects interpretation of the Act’s high-risk classification criteria. This is not legal advice — engage EU-qualified legal counsel for compliance guidance specific to your organization and member states of operation.